TCPDump Explained | Packet Analysis | TryHackMe TCPDump

This post is a tutorial on the basics of using TCPdump, a command-line packet capturing tool commonly used in cybersecurity. It also provides the answers to the TryHackMe TCPDump room.


Introduction to TCPdump

TCPdump is a command-line tool for capturing and analyzing network traffic, comparable to Wireshark.

The tutorial covers capturing live traffic, reading packets from .pcap files, and using filters to extract insights.

Setting Up TCPdump

  • To capture live traffic, the network interface must be specified using the -i flag.
    Example:
sudo tcpdump -i ens5

The command ip address show is recommended to identify available network interfaces.

Saving Captured Packets

To save captured packets for later analysis:

sudo tcpdump -i ens5 -w packets.pcap

Reading from a Capture File

Packets can be read from .pcap files without needing superuser permissions:

tcpdump -r packets.pcap

Limiting Captured Packets

The -c flag limits the number of packets captured or processed.
Example:

tcpdump -r traffic.pcap -c 5

Disabling DNS and Port Resolution

Use -n to disable IP-to-DNS resolution and -nn to disable both DNS and port number resolution.

Verbose Mode

-v, -vv, and -vvv increase the verbosity of the output, providing more packet details.

Basic Filtering Techniques

IP Address Filtering:

  • Filter by source or destination
tcpdump -r traffic.pcap src host tryhackme.com 
tcpdump -r traffic.pcap dst host tryhackme.com

Port Filtering:

  • Filter by source or destination ports
tcpdump -r traffic.pcap dst port 80 
tcpdump -r traffic.pcap port 80

Protocol Filtering:

  • Filter by protocols like ICMP, TCP, UDP
tcpdump -r traffic.pcap icmp 
tcpdump -r traffic.pcap udp

Counting Packets

Pipe the output through wc -l to count the matching packets. This relies on the default one-line-per-packet output; with -v and above, tcpdump prints several lines per packet and the count will be too high.

tcpdump -r traffic.pcap port 80 | wc -l

TCP Flags Filtering

TCP flags like SYN, ACK, FIN, RST, and PSH are used to filter packets by connection state.
Example for SYN flag only:

tcpdump -r traffic.pcap 'tcp[tcpflags] == tcp-syn'
  • Use bitwise operators to test individual flag bits; unlike the exact match above, this also matches packets that carry SYN together with other flags (for example SYN-ACK)
tcpdump -r traffic.pcap 'tcp[tcpflags] & tcp-syn != 0'
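To make the difference between the exact-match and bit-test flag filters concrete, and to show what the wc -l count in the previous section is really counting, here is an added Python script (not part of this post or the TryHackMe room) that hand-builds a tiny TCP handshake, writes it as a pcap file you can open with tcpdump -r, and evaluates both filter expressions on the same flag bytes tcpdump would inspect. The hosts, ports and file name are constructed for the example.

```python
import struct

# TCP flag bits: the values tcpdump's tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack expand to
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def tcp_packet(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (no payload; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # placeholder MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def write_pcap(path, frames):
    """Write frames as a classic pcap file (link type 1 = Ethernet) readable with tcpdump -r."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)

def tcp_flags(frame):
    """The TCP flags byte, i.e. what tcp[tcpflags] (an alias for tcp[13]) evaluates to."""
    return frame[14 + 20 + 13]

def syn_only(frame):  # 'tcp[tcpflags] == tcp-syn': SYN and nothing else
    return tcp_flags(frame) == SYN

def syn_set(frame):   # 'tcp[tcpflags] & tcp-syn != 0': SYN bit set, other bits ignored
    return tcp_flags(frame) & SYN != 0

def count(frames, predicate):
    """Same idea as piping the filtered tcpdump output through wc -l."""
    return sum(1 for fr in frames if predicate(fr))

# Constructed sample: a handshake, one data segment and a FIN between two private hosts
FRAMES = [
    tcp_packet("10.0.0.5", "10.0.0.9", 40000, 80, SYN),
    tcp_packet("10.0.0.9", "10.0.0.5", 80, 40000, SYN | ACK),
    tcp_packet("10.0.0.5", "10.0.0.9", 40000, 80, ACK),
    tcp_packet("10.0.0.5", "10.0.0.9", 40000, 80, PSH | ACK),
    tcp_packet("10.0.0.9", "10.0.0.5", 80, 40000, FIN | ACK),
]

if __name__ == "__main__":
    write_pcap("flags.pcap", FRAMES)  # then: tcpdump -nn -r flags.pcap 'tcp[tcpflags] == tcp-syn'
    print("== tcp-syn:", count(FRAMES, syn_only))  # 1 (only the client's SYN)
    print("& tcp-syn :", count(FRAMES, syn_set))   # 2 (SYN and SYN-ACK)
```

Running tcpdump -nn -r flags.pcap 'tcp[tcpflags] & tcp-syn != 0' on the written file shows the same two packets, with the SYN-ACK printed as Flags [S.].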

Conclusion

  • The post emphasizes using TCPdump efficiently to analyze network traffic and detect anomalies.
  • Practical demonstrations cover real-world scenarios for network analysis.

TryHackMe TCPDump | Room Answers

Room answers can be found here.

Video Walkthrough